samba@lonx.net
2005-Aug-11 21:32 UTC
[Samba] net ads join on AIX 5.2 - Mission Impossible ?
Hi all,

is it possible at all to get Samba 3 on AIX 5.2 to join a Win 2003 Domain natively? All the precompiled versions do not have AD Support and having AIX krb5 installed (let alone using --with-ads) is enough to make a compile run fail - both 3.0.14 and 3.0.20rc2. Might Heimdal solve this? Has ANYONE got a working installation?

Solving this would make quite a difference to my current life, so any advice would be appreciated.

TIA & regards
Dan

Doug VanLeuven
2005-Aug-12 01:35 UTC
[Samba] net ads join on AIX 5.2 - Mission Impossible ?
samba@lonx.net wrote:
> Hi all,
> is it possible at all to get Samba 3 on AIX 5.2 to join a Win 2003
> Domain natively ? All the precompiled versions do not have AD Support
> and having AIX krb5 installed (let alone using --with-ads)is enough
> to make a compile run fail - both 3.0.14 and 3.0.20rc2. Might Heimdal
> solve this ? Has ANYONE got a working installation ?
> Solving this would make quite a difference to my current life,
> so any advice would be appreciated.

Yeah. Been there. Done that. AIX 5.2, samba 3.0.14.

I went the route of installing the linux affinity toolkit. Used gcc to compile. Use at least gcc 3.x. http://aixpdslib.seas.ucla.edu/index.html has a good gcc.

Compiled and installed openldap to /usr/local/openldap just to link against samba. Compiled and installed Kerberos to /usr/local using rpm so if IBM ever got the development files up to speed it would be easy to uninstall & switch back. At the time, last year, IBM Kerberos didn't support rc4-hmac either.

In configure use CPFLAGS, CPPFLAGS, & LDFLAGS to ensure the paths picked the homebrew versions. I had a special account to log in where LIBPATH and PATH would pick up the homebrew and linux affinity directories before the system ones.

When I was done, not only did samba work in "ADS = security" mode, but I could use the kerberos utilities natively with the MS AD as the key distribution center.

I had to turn off sendfile because, although the test machine worked fine, the production machine ran out of file handles about 3 hours into the workday. Couldn't even reboot cleanly. Total lockup. That was several months ago, maybe rc20 fixes that. I wouldn't know. Never figured how to simulate the load on the development machine.

I set "winbind trusted domains only = yes" because I had NIS and an identical user name correspondence between windows and unix. Used idmap_ad before it was rolled into the distribution for winbindd resolution. Didn't test other modes.

Regards,
Doug
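
An added example, not part of the thread: a post-configure check that the build actually picked up Kerberos, LDAP, ADS and rc4-hmac support, the pieces the reply above says the stock AIX libraries could not provide. The macro names are assumed from Samba 3.0.x's configure output in include/config.h; verify them against your own tree. The sample config.h is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): after ./configure, inspect
# include/config.h to confirm the build really has AD support.
# Macro names are assumed from Samba 3.0.x; verify against your tree.

REQUIRED_DEFINES="HAVE_KRB5 HAVE_LDAP WITH_ADS HAVE_ENCTYPE_ARCFOUR_HMAC_MD5"

# Print each required macro that is not "#define NAME 1" in the given file.
missing_ads_defines() {
    cfg=$1
    for name in $REQUIRED_DEFINES; do
        if ! grep -Eq "^#define[[:space:]]+$name[[:space:]]+1" "$cfg"; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Succeed only when nothing is missing.
ads_build_ok() {
    [ -z "$(missing_ads_defines "$1")" ]
}

# Constructed sample: config.h from a build whose Kerberos lacks rc4-hmac.
write_sample_config() {
    cat > "$1" <<'EOF'
#define HAVE_KRB5 1
#define HAVE_LDAP 1
#define WITH_ADS 1
/* #undef HAVE_ENCTYPE_ARCFOUR_HMAC_MD5 */
EOF
}

# Demo on the constructed sample; point the functions at
# include/config.h in a real source tree instead.
sample=$(mktemp)
write_sample_config "$sample"
echo "missing from sample: $(missing_ads_defines "$sample")"
rm -f "$sample"
```

If any macro is reported missing, configure fell back to libraries without that feature, and the CPPFLAGS/LDFLAGS paths should be rechecked before running make.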